As with most emerging viruses, coverage for this malware in the anti-virus community is quite pathetic at the moment. They will certainly catch up soon, but the current scan at VirusTotal revealed only SIX of Thirty-Three AV products could detect this virus. Detection was not present for any of the leading AV products, including McAfee, Symantec, and Trend Micro. Microsoft also fails to detect at this time.

The handful of you who follow my annual book list know that in addition to my science fiction and haiku poetry diet, I read books on world politics, terrorism, and the intelligence community. I don't normally talk about them here, but this week I read a book that I believe would be a Must Read.

Ronald Kessler's book, The Terrorist Watch: Inside the Desperate Race To Stop the Next Attack could not have been written by anyone other than the columnist of The Washington Insider. As a long-time member of the FBI Fan Club, I was surprised by the things Kessler revealed that I simply didn't know about the Bureau and the War on Terror. Especially after his crucifixion of former FBI Director Louis Freeh (1993-2001) in his book "The Bureau: The Secret History of the FBI", I really hadn't imagined what a good friend of the Bureau Kessler could be.

Kessler takes a few current FBI myths and jumps straight to the source, asking for, and getting, unprecedented access, including interviews in their own environment. Willie Hulon, then the Executive Assistant Director of the FBI's National Security Branch; Art Cummings, then the Deputy Director of the National Counterterrorism Center (he has since taken Willie's old job); FBI Director Robert Mueller; CIA Director Michael Hayden; and White House advisor on counterterrorism Fran Townsend are just some of the highlights of his Who's Who in Counter Terrorism tour.

Myth: The CIA and FBI don't share information

Response: Kessler gives us a guided tour of the National CounterTerrorism Center (NCTC), spending a great deal of time on the layout of the 10,000 square-foot operations center which has the FBI's Counterterrorism Division watch center on one end, and the CIA's Counterterrorism Center's watch center on the other end. No walls separate the entire workspace, and Kessler explains in detail how the analysts from sixteen different intelligence agencies interact in the space, and share information to keep the "mother of all databases", the Terrorist Information Datamart Environment, up to date and synchronized with what is known by each of the intelligence agencies. In a chapter called "Dr. Strangelove", Kessler walks us through what happens in the daily "SVTCs" - the all agency briefings that are run from the NCTC at 8 AM, 3 PM, and 1 AM, seven days a week.

One of the biggest challenges to understand, and one that still receives a great deal of criticism, is how the FBI can go about being both an Intelligence Agency and a Law Enforcement Agency.

Kessler illustrates "the old thinking" vs. "the new thinking" this way . . . (quoting Art Cummings):

"The director [Mueller] said, 'We've got this new mission. It's a prevention mission.'

Pre-9/11, the first consideration was, I got an indictment in my pocket . . . slap it down on the table, pick the guy up, throw him on an airplane...put him in jail and you go, 'Okay, I've done a great job today.'"

Through interviews with Philip Mudd, Art Cummings, Pat D'Amuro, and others, Kessler makes it clear that this is no longer the situation. Now the first concern, when the suspect has a possible terrorism connection, is intelligence gathering. The Bureau's unique approach to extracting intelligence, whether in months-long "friendly interrogations", through human surveillance teams, or through "technical collection", was explained to a level rarely seen in a public work.

While it's clear Kessler is in the Fan Club with me, he doesn't skirt around the challenges. He addresses FISA, National Security Letters, the computer incompetency of the Bureau (Sentinel and Virtual Case File), whether we'd be better off with an MI5-style agency, Gitmo, and the various media feeding frenzies.

Most books about the Intelligence Community and the War on Terror focus on government screw-ups, incompetencies, and secret agendas and have as their mission the undermining of the public's confidence in our government. It was refreshing to read Kessler's "insider look" offering an alternative view into these issues, and I hope others will join me in checking out this book.

Saturday, July 26, 2008

First, I wanted to say that I am appalled and saddened by the news that Eddie Davidson, the escaped convict who was serving time for spam, has killed his wife and three-year-old child before committing suicide. Many of these spammers and cyber criminals are sick sociopaths who believe they are beyond the law, but it's still sad news whenever innocent lives are taken. My prayers are with the family as they grieve.

For yet another day, the top news in spam is old news. The "News Headline" or "Video.exe" spammers continue to dominate our inboxes.

More than 90 compromised webservers have been used in this newest attack, which uses more than 90 new email subjects to trick the public into infecting themselves.

"I Won't Raise Taxes," Says Schwarzenegger, "except For The Indians."
50 Cent sues Taco Bell
Apple nosedives on Jobs' death
Arnold Says im Gay Too!
Arnold Schwarzenegger to make movie
Astronauts Pose With The U.S. Snoopy
B52 bomber crashed in Hawaii
Batman is gay. Watch the proof.
Battle Of The Butts, J Lo V Britney Spears
Beijing Olympics cancelled
Bin Laden driver denies al Qaeda links
Black Panthers Sue White Guys For Stealing Copyrighted Gesture
Blair: Im Not Gay, Thats Just My Accent
Brave Suicide Bomber Survives Blast!
Britney and Justin are together again
Britney Clothed Photo Fury
Bush Accidentally Starts The War On Iran
Bush To Reporters: Fuck The Constitution
Bush 'Troubled' by Gay Marriages. Declares San Francisco Part of 'Axis of Evil'
Buy stocks now to make money
Cambodia declares war on foreigners
Cell phone use increases cancer
Clubs refuse to release players for Olympics
Courtney Love Vows To Wear Clothes
Earthquake in Japan kills millions
Ebay Lists Another Cheese Sandwich
Fat Chinese Man Kills And Eats Brother Because He Was Hungry
Ferguson fears Chelsea
Four Horsemen Of The Apocalypse Unveil New Alert System
French Have More Sex In Surveys Than Any Other Country
Gay Marriage Could Be Profitable
Gay Men Perceive Each Other As Homophobic
How to avoid paying credit cards
How To Break Up With Your Girl, Then Get Some Bootie Time!
Hurricane Dolly damages infrastructure
I Liked The Part When The French Got Their Asses Busted - G.W. Bush
Insider tips to these stocks
IT departments lauded for selling data
Join our weekly poker tournaments
Kidney stealing ring busted
Man gets pole stuck in handcuffs
McCain diagnosed with pancreatic cancer
McCain's health suspect
My Scrotum Is Getting Really Huge These Days
New betting tips for new season
New National Anthem Proposed By Bush
Obama bribes voters
Obama diagnosed with brain tumor
Obama engages rappers in election aid
Obama Is Anorexic Over-Exerciser
Obama withdraws support for Israel
Obama's mistress speaks up
Oil prices fall sharply
Osama caught sodomizing lieutenants
Osama Seen Dining At The Paris Ritz
Osama trains goats for tactical bombing
Pamela and Britney are lesbian lovers
Pamela Anderson To Sell Her Clothes; Announcement Causes Nationwide Frenzy
Please Baby, Give Me Another Chance
Possible Spam : Shocking Video Shows Spongebob And Gay Sex!
Prada gives fake bags to charity
Release Of The Nancy Pelosi Sex Dvd Causes Mass Erectile Dysfunction In Us
Richard Nixon Speaks From The Grave!
Right To Own Guns Upheld
Sarah Jessica Parker Arrested For Gross Negligee
School Board Adopts Gay-Ass Uniform Policy
Schwarzenegger reduces minimum wages
Scientists Create Prosthetic Brain
Shocking Video Shows Spongebob And Gay Sex!
South Korea goes to war over dead tourist
Spongebob Denies Reports That Hes Gay
Steve Jobs down with cancer
Steve Jobs to resign from Apple
Stock Markets Close As Global Earth World Planet International Buys All Shares
Studies show Americans love complaining
Studies show Europeans hate Asians
Studies show female bosses love flirting
Stupid millionaire gives huge tips
Stupid woman buys iPhone for 5000
Switzerland To Be Devoured By Black Hole
Terrorist bombs Philippines killing 30
Texans Do The Unthinkable
Theodore Roosevelt Was A Gay Man
Tiger Woods Will Call Next Son Monkey
Tupac Shakur Speaks Out From Beyond The Grave: "Stop Releasing My Stanky Old Songs"
WalMart declares bankruptcy
Woman chokes after swallowing Tiffany diamond
Woman found with bottle in vagina
Your tickets have been confirmed

If you are in control of any of these hacked webservers, we would very much like to speak with you regarding the method of compromise. We are hearing that the servers are being compromised through FTP sessions, with a real FTP password being used. Are these brute-force attacks? Have they "sniffed" the FTP password (which, we should remember, should never be used, since it is sent across the Internet unencrypted), or have they "keylogged" the FTP passwords from the users' machines? We need to know!
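The three possibilities above leave different traces in the FTP server's own log, so a webmaster can answer the question for their own server before replying. Here is an added example (my illustration, not code from the post): it reads vsftpd-style login lines, labels a success that follows a burst of failures from the same client as brute-forced, a first-try success from an address you have never logged in from as the signature of a sniffed or keylogged password, and anything from your own addresses as expected. The log format, the thresholds and the sample lines are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# vsftpd-style login lines (assumed format; adapt LINE_RE for your FTP daemon):
#   Sat Jul 26 02:10:00 2008 [pid 4000] [webmaster] FAIL LOGIN: Client "203.0.113.7"
LINE_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'(?:\[(?P<user>[^\]]*)\] )?(?P<result>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"'
)


def parse_logins(log_text):
    """Return (timestamp, user, result, ip) for every login line, oldest first."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # transfers, CONNECT lines and so on are not login attempts
        ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        events.append((ts, m.group("user") or "", m.group("result"), m.group("ip")))
    events.sort()
    return events


def classify_logins(log_text, fail_threshold=10, window_seconds=300, trusted_ips=()):
    """Label every successful login.

    brute-forced        : >= fail_threshold failures for the same user from the same
                          client IP inside window_seconds before the success
    expected            : no failure burst and the client IP is on the trusted list
    stolen-credential?  : first-try success from an IP you do not recognise, which is
                          what a sniffed or keylogged password looks like in the log
    """
    fails = defaultdict(list)  # (user, ip) -> timestamps of failed attempts
    verdicts = []
    for ts, user, result, ip in parse_logins(log_text):
        key = (user, ip)
        if result == "FAIL":
            fails[key].append(ts)
            continue
        recent = [f for f in fails[key] if (ts - f).total_seconds() <= window_seconds]
        if len(recent) >= fail_threshold:
            verdict = "brute-forced"
        elif ip in trusted_ips:
            verdict = "expected"
        else:
            verdict = "stolen-credential?"
        verdicts.append({"time": ts.isoformat(), "user": user, "ip": ip,
                         "failures_before": len(recent), "verdict": verdict})
    return verdicts


def _line(sec, pid, result, ip, user="webmaster"):
    return f'Sat Jul 26 02:10:{sec:02d} 2008 [pid {pid}] [{user}] {result} LOGIN: Client "{ip}"'


# Constructed sample log, not a real capture: a 12-try guessing run that succeeds,
# a login from the webmaster's usual address, and a first-try login from a stranger.
SAMPLE_LOG = "\n".join(
    [_line(s, 4000 + s, "FAIL", "203.0.113.7") for s in range(12)]
    + [_line(40, 4040, "OK", "203.0.113.7"),
       'Sat Jul 26 09:15:12 2008 [pid 5100] [webmaster] OK LOGIN: Client "198.51.100.22"',
       'Sat Jul 26 09:16:00 2008 [pid 5101] [webmaster] OK LOGIN: Client "192.0.2.10"',
       'Sat Jul 26 09:16:05 2008 [pid 5102] CONNECT: Client "192.0.2.10"']
)

if __name__ == "__main__":
    for v in classify_logins(SAMPLE_LOG, trusted_ips={"198.51.100.22"}):
        print(v)
```

The "stolen-credential?" label is deliberately a question: a clean first-try login from an unknown address is consistent with a sniffed or keylogged password, but it is also what a webmaster on a new connection looks like, so the list of trusted addresses is what makes the verdict meaningful. Either way, the fix is the same one the paragraph gives: stop sending the password in the clear.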

We have looked up the "WHOIS" information on all of these domains and sent an email to each webmaster, asking for more details about their attack, and informing them of the bad content on their servers so they can get it cleaned up.

Sadly, many of these domains either do not have WHOIS information, or have expired email addresses, so even when we TRY to contact the webmaster, we are unable to do so without poring over their websites looking for contact information. If the WHOIS data were properly implemented, a simple program could inform all of these webmasters.

My favorite WHOIS data was for the domains beatmung-sachsen.eu, cmeedilizia.eu, and deliriuslaspalmas.com, which gave as the Administrative Contact:

This domain exists, but because the European Registry of Internet Domain Names (EURid) is, in our view, run by incompetent administrators who failed to properly manage the server, you cannot view the domain registration data unless you visit their Web site, www.whois.eu

Like the authors of that WHOIS data, I am not spending my time visiting the page.
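The "simple program" wished for above is not hard to write; the hard part is deciding what to do with records like the EURid one. Here is an added example (mine, not code from the post or from any registry): given raw WHOIS text per domain, it pulls out abuse, admin, tech and registrant e-mail addresses, picks the best one to notify, and separates domains whose registry withholds the data behind a web form from domains that simply have nothing. The field labels it recognises and the three sample records are assumptions made for the example; only the EURid wording is quoted from the post.

```python
import re

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Contact fields as they appear in common "thick" WHOIS output, e.g.
# "Admin Email:", "Registrant E-mail:", "Abuse Contact Email:" (assumed layouts;
# registries that use other labels need an extra pattern here).
CONTACT_FIELD_RE = re.compile(
    r"^\s*(?P<role>Registrant|Admin(?:istrative)?|Tech(?:nical)?|Abuse)"
    r"[^:\n]*?(?:E-?mail|Contact)\s*:\s*(?P<value>.+)$",
    re.IGNORECASE | re.MULTILINE,
)

# Phrases that mean the registry has the data but will not show it in plain WHOIS.
WITHHELD_MARKERS = ("visit their web site", "whois.eu", "redacted", "not disclosed", "privacy")


def _norm_role(role):
    r = role.lower()
    for prefix, name in (("reg", "registrant"), ("adm", "admin"), ("tec", "tech"), ("abu", "abuse")):
        if r.startswith(prefix):
            return name
    return r


def extract_contacts(whois_text):
    """Return (status, {role: email}) for one WHOIS record.

    status is "ok" when at least one contact address was found, "withheld" when the
    registry points you to a web form instead, and "missing" when nothing usable is there.
    """
    contacts = {}
    for m in CONTACT_FIELD_RE.finditer(whois_text):
        found = EMAIL_RE.search(m.group("value"))
        if found:
            contacts[_norm_role(m.group("role"))] = found.group(0).lower()
    if contacts:
        return "ok", contacts
    lowered = whois_text.lower()
    if any(marker in lowered for marker in WITHHELD_MARKERS):
        return "withheld", {}
    return "missing", {}


def notification_plan(records, preference=("abuse", "admin", "tech", "registrant")):
    """records: {domain: raw WHOIS text}. Returns {domain: (status, address or None)}.

    Domains that come back with None are the ones somebody has to handle by hand.
    """
    plan = {}
    for domain, text in records.items():
        status, contacts = extract_contacts(text)
        address = next((contacts[r] for r in preference if r in contacts), None)
        plan[domain] = (status, address)
    return plan


# Constructed WHOIS records for the domains named in the post (the text is made up
# for this example; only the EURid wording is quoted from the post).
SAMPLE_RECORDS = {
    "deliriuslaspalmas.com": """Domain Name: DELIRIUSLASPALMAS.COM
Registrar: Example Registrar, Inc.
Registrant Name: REDACTED FOR PRIVACY
Admin Email: admin@example.com
Tech Email: tech@example.com
""",
    "beatmung-sachsen.eu": """Domain: beatmung-sachsen.eu
Administrative Contact:
This domain exists, but because the European Registry of Internet Domain Names (EURid)
is, in our view, run by incompetent administrators who failed to properly manage the
server, you cannot view the domain registration data unless you visit their Web site,
www.whois.eu
""",
    "cmeedilizia.eu": """Domain: cmeedilizia.eu
% No contact information is published for this domain.
""",
}

if __name__ == "__main__":
    for domain, (status, address) in notification_plan(SAMPLE_RECORDS).items():
        print(f"{domain:25} {status:9} {address or 'manual follow-up'}")
```

Abuse contacts are tried first because they are the address a hosting provider actually staffs for this purpose; the admin and tech contacts are the fallback. Expired mailboxes, the other problem the post mentions, only show up when the notification bounces, so the bounce address of whatever sends the notices needs a human reading it.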

Last Friday I sat in my office with a 41-page Sentencing Memo from Soloway's Defense Attorney, and told my students, "This is not going to go well."

Honestly I read the document from Richard Troberman, Attorney at Law, with some skepticism, assuming that a lawyer for a spammer may not be the most altruistic person, but many of the claims were shocking.

Troberman claimed that "90% of the claimed losses" in the case came from 12 individuals, and then proceeded to SMASH their credibility. Claims such as:

Marcia Branum, who calculated that Soloway had cost her $369,500, which she calculated by saying his spam cost her "80 hours per week times nine months at $30.00 per hour", with the rest of the claim being comprised of the fact that Soloway had caused "actual loss of potential in the first year alone of over $1,000,000.00", which is what she lost by not being able to enter into an online business with a friend in California and a "3rd cousin in Ohio who are literally making millions" because she was spending 80 hours a week dealing with Soloway spam.

or Tamra Burgess, who calculated that Soloway had cost her $328,000, based on the fact that she spent "18 hours per day, at $50.00 per hour, for 365 days responding to spam". Troberman points out that when she complained about Soloway to the Better Business Bureau, she says "I haven't lost any money".

Ronald Carter estimated his losses at $250,000. He must have received quite a bit of spam from Soloway!

Matthew Hexter claimed a loss of $48,149, which was because he had been "guaranteed a 400% increase in sales" by buying Soloway's spamming products, and had not actually seen that increase.

Eduardo Vanci says he lost $48,740 due to a four week interruption of service. Troberman points out that would mean Vanci normally earns $588,880 per year.

Troberman proceeds through his 41 pages, sometimes admitting fault, sometimes bashing witnesses who were "quite simply, not credible", and by the time I finished the document, I told my students, "He'll still get time, but not nearly enough. If this is really what the State brought against him, they need to do their homework better next time, if Troberman is telling the truth."

As an example of how little evidence we really need in court - this case focused on a SINGLE WEEK of email messages sent to AOL subscribers by "Trill" and "Batch1". During that week, back in August of 2005, the "g00dfellas", as the duo called themselves, sent 1.2 million emails to subscribers of AOL.

"Fast Eddie", the 35-year-old Edward Davidson from Louisville, Kentucky, was sentenced to 21 months at a minimum security federal prison camp. He began his email marketing company in 2002, and became involved in "Pump and Dump" spam in 2005. Eddie was also ordered to pay $714,139 in restitution.

Apparently "Fast Eddie" didn't like prison, so while serving on a work crew on Monday, July 21st, he walked away. The U.S. Marshals Service has now taken over the search.

The Denver FBI has a press release regarding his escape on their site.

Tuesday, July 22, 2008

According to the newest version of the Storm Worm, the Amero is about to replace the dollar:

The U.S. Government began to realize the plan to replace the Dollar with the "Amero", the new currency of the North American Currency Union. Canada, the United States of America and Mexico have resolved to unit in order to resist the Worldwide Financial Crysis. You can become acquainted with the plan of the implementation of Amero, just click on the icon under this text.

Spam received July 21st and July 22nd by the UAB Spam Data Mine used subjects like these to advertise websites hosting the new malware:

Amero - the secret currency
Amero arrives
Amero currency Union is now the reality
Amero is not a myth
AMERO to replace Dollar
Bye bye dollar, hello amero
Collapse of the Dollar
Death of the U.S. Dollar
Dollar is replacing by Amero
Dollar is replacing by new currency
Fall of the Dollar, beginning of AMERO
No dollars anymore
North American Union is the reality now
One Currency for Canada, U.S and Mexico - The Amero
Say Goodbye to the Dollar
The Amero is here
The Dollar disappeared
The new currency is coming
Welcome the Amero
You can forget about Dollars

According to Virus Total only 14 of 33 anti-virus products detected the new malware.

As many as 21 of these domains were hosted on a single IP address, 195.110.124.133, which is actually on the "DadaNet" hosting provider in Italy. (We've sent them a notice with the 23 domain names, including 2 others on 195.110.124.188.)

97 different Spam subjects were used by this campaign (or group of campaigns) in the past 48 hours.

Thursday, July 17, 2008

If the Anti-Virus world was run like the Chess world, we would all know Joe Stewart from SecureWorks as an International GrandMaster of Malware Analysis. One of the advantages of being an International GrandMaster of Malware Analysis is that you get to shine spotlights on really bad stuff -- and people listen! I'm talking about Stewart's excellent article in yesterday's USA Today on the Coreflood Gang. Before I returned home to find a copy of the article clipped and lying by my recliner by my dutiful paper-reading mother-in-law, I had several queries about "the Coreflood Gang", and I didn't know they even existed. Coreflood was a word from distant memory, dealing with pre-Windows XP machines for me. In fact the first searches I did took me to articles such as this 2003 Redmondmag article where Chris Belthoff from Sophos explains how the virus works. With a little digging we are able to see that the Coreflood Gang is Stewart's name for the group that is applying this virus from "ancient history" in Internet years to a new purpose and with a much higher payback. Other common names for the virus were Corefloo and AFCore.

The article, which seems to be a rehash of Robert McMillan's July 2nd IDG article (here from InfoWorld), "Trojan lurks, waiting to steal admin passwords", is a much-needed escalation from the technical press to the general public. Unfortunately it rings an alarm bell without giving any of the necessary details to know what to do about the possibility of your own machines being infected.

It lays out a situation where Stewart was able to come into possession of a cache of data which was harvested by the trojan he has dubbed Coreflood. The server contained MORE THAN 500 GIGABYTES of stolen data in compressed form, showing evidence of 378,758 unique Coreflood infections inside thousands of organizations.

The chart that accompanies the article discusses single organizations, including hospitals, hotel chains, universities, and school districts, which had many hundreds of infections located at a single organization. The worst example was a school district where more than 31,000 computers had been infected with this trojan.

As the PC World article made clear, the reason this type of infection is possible is because of a program called "PsExec", which is a SysInternals program currently distributed by Microsoft. The purpose of PsExec is to allow a Windows Domain Administrator to perform remote administrative tasks on machines throughout their network. The thing which has made the CoreFlood trojan, first disclosed in 2001, suddenly newsworthy is its use of this tool. As Stewart explains in his Technical Analysis of Coreflood/AFCore, infected hosts lie in wait on their networks, waiting for a Domain Level Administrator to log in to the box. When the trojan detects that it has Domain Administrator privileges, it then uses its copy of PsExec to perform a remote installation on all of the other hosts where that Domain Administrator account has control. A single infected computer can then become an entire network of infected computers in a matter of minutes!
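The fan-out Stewart describes is also what makes this behaviour easy to spot from the defender's side: every PsExec-style installation leaves a "service installed" event (ID 7045 in the Windows System log, service name PSEXESVC) on the target host, and a Domain Administrator account legitimately installing that service on a dozen workstations inside a few minutes is rare. The following is an added example, my own code rather than anything from Stewart's analysis or the article, that runs over a flat export of such events and alerts when one account installs a remote-execution service on many distinct hosts within a short window. The export schema (field names, ISO timestamps) and the sample events are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Service names / binary paths typical of PsExec-style remote execution: PSEXESVC is
# the service PsExec itself registers, and the second alternative catches a renamed
# copy that was still dropped through the ADMIN$ share.
REMOTE_EXEC_RE = re.compile(r"(?i)psexesvc|\\ADMIN\$\\[^\\]+\.exe$")


def is_remote_exec_install(ev):
    """True for a System-log 7045 (service installed) event that looks like PsExec."""
    return ev["event_id"] == 7045 and bool(
        REMOTE_EXEC_RE.search(ev["service_name"]) or REMOTE_EXEC_RE.search(ev["image_path"])
    )


def detect_fanout(events, min_hosts=5, window=timedelta(minutes=10)):
    """Alert when one account installs a remote-exec service on >= min_hosts distinct
    hosts within `window`. Returns one alert per offending account, covering the
    window that reached the most hosts."""
    installs = defaultdict(list)  # account -> [(time, host), ...]
    for ev in events:
        if is_remote_exec_install(ev):
            installs[ev["account"]].append((datetime.fromisoformat(ev["time"]), ev["host"]))
    alerts = []
    for account, items in installs.items():
        items.sort()
        best = None
        for start, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[start:] if t - t0 <= window}
            if len(hosts) >= min_hosts and (best is None or len(hosts) > len(best["hosts"])):
                best = {"account": account, "first_install": t0.isoformat(),
                        "hosts": sorted(hosts)}
        if best:
            alerts.append(best)
    return alerts


def _event(minute, host, account, service="PSEXESVC",
           path=r"%SystemRoot%\PSEXESVC.exe", event_id=7045):
    # Field names follow a flat JSON export of the Windows System log (assumed schema;
    # "account" is the user recorded on the 7045 event).
    return {"time": f"2008-07-17T14:{minute:02d}:00", "host": host, "event_id": event_id,
            "account": account, "service_name": service, "image_path": path}


# Constructed events, not a real log.
SAMPLE_EVENTS = (
    # Coreflood-style fan-out: a domain admin's session is abused to push the service
    # to eight workstations inside three minutes.
    [_event(2 + i // 3, f"WS-{i:03d}", r"CORP\svc-admin") for i in range(8)]
    # A sysadmin running PsExec against one file server: routine, no alert.
    + [_event(30, "FILESRV01", r"CORP\jsmith")]
    # An unrelated driver install: not a remote-exec service, ignored.
    + [_event(45, "WS-200", r"NT AUTHORITY\SYSTEM", service="PrintSpoolHelper",
              path=r"C:\Windows\System32\spoolhelp.exe")]
)

if __name__ == "__main__":
    for alert in detect_fanout(SAMPLE_EVENTS):
        print(alert["account"], "installed a remote-exec service on",
              len(alert["hosts"]), "hosts from", alert["first_install"])
```

The threshold and window should be tuned to how your own administrators use PsExec; the more durable mitigation is the one the paragraph implies, which is not to log in with a Domain Administrator account on ordinary workstations at all, so that an infected host never sees those privileges.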

Once infected, the computer becomes part of a very professional and elaborate botnet control system, which uses an SQL Database to sift, sort, and manage all of the data which it has stolen from keyloggers and files on its infected machines. In this way the controllers of Coreflood can make simple queries to their central database of stolen data such as, "Show me a bank account on Bank XYZ, where the balance is greater than $100,000!"

As I'm sure interest will be high in this virus after the story, I thought I would give some more hints on finding the AV program articles about it. (Since googling on CoreFlood will give you 2,000 blog articles on Joe's article!)

McAfee has been following malware called CoreFlood since at least October of 2001. As recently as July 3, 2008 they mention Coreflood and the fact that a tool called JailBreak is often installed on the same computer, which is used to export items from the Windows Certificate Store. The file "sstore2K.exe" should be searched for if you are looking for recent CoreFlood infections. Their main article, which they call "CoreFlood.dr" was "recently updated to Low-Profile due to media attention", they say, referring to a PCWorld article from July 2nd on the trojan.

Symantec, like McAfee until last week, has considered Coreflood to be a "Risk Level 1: Very Low" according to their Main Coreflood article. They rate its number of infections as being "More than 1000" at a number of sites "More than 10", in the article which was posted in 2002, with updates as recently as June 20, 2008. They describe the trojan as being "primarily designed to conduct Denial of Service (DoS) attacks", which was certainly what everyone believed until Stewart's revelation.

Symantec also has a detection for webpages that try to infect visitors with Coreflood, which has been the main path of infection since at least 2003, when the exploit described in Microsoft Security Bulletin MS03-032 was used for "drive-by" attacks on webpage visitors.

A search at Sophos finds a 2003 article on CoreFloo-C, where it describes the earlier IRC-controlled trojan, as well as a 2004 article on CoreFloo-D. They make it all the way through the alphabet several times with this one, with Afcore AJ being in August 2004. The current version seems to be named "CoreFlo", such as Troj/CoreFlo-P in January 2007, which they alias as "Backdoor.Win32.Afcore.cm", and CoreFlood.dll, and Backdoor.Coreflood.

Wednesday, July 16, 2008

How Long is the Long Arm of the Law? It's at least long enough to reach from eBay headquarters to Romania. In another example of the successful international cooperation between the FBI and Romanian cyber officials, 22 more Romanians have been arrested for Internet fraud crimes.

A Romanian story with today's date has more details for those who speak Romanian: În afacerea Malware, 21 de persoane arestate ("In the Malware affair, 21 people arrested"). The Romanian story mentions that some of the electronic commerce sites targeted by the group included eBay, Equine.com, and Craigslist.com. Along with computer equipment and equipment for making false identities, the police seized mobile phones, SIM cards, and funds in Lei (Romanian currency), Euros, British Pounds, and US Dollars.

The arrests were made in the Romanian cities of Bucharest, Ramnicu Valcea, Sibiu, Alexandria, Dragasani, and Hunedoara. The leader of the group, Romeo Chiţă, was arrested in an apartment home belonging to a Romanian elected official, Dumitru Puzdrea. Puzdrea denied knowing anything about Chiţă's illegal activities.

One news crew was on site to see some of the hackers arrested. Here's a video taken in Râmnicu Vâlcea from yesterday afternoon. Watch to the end to see hackers in handcuffs. The accompanying Romanian News Story is getting commented on heavily - 57 comments already by this posting. Very educational. It seems the "F" word is the same in English as it is in Romanian.

Three un-named Romanian Hackers from Ramnicu Valcea:

I'll post more information as it becomes available, but congratulations to the FBI, to the Brigada Specială de Intervenţie a Jandarmeriei, and to DIICOT (the Romanian organized crime and anti-terrorism squad).

Monday, July 07, 2008

What news headlines would make you click an email link, even though you KNOW you aren't supposed to do that? The authors of the newest round of Nuwar, which may or may not be the same "storm" worm that we've seen two rounds of already this month, think they know.

Based on a review of this afternoon's "infect you through news headlines", the virus authors believe you want to know about Obama, McCain, Angelina Jolie, and the new Batman movie.

The spam for malware-infection "PornTube" sites is really out of control lately.

The current trend is to hack into someone's site, leave an "r.html" file there, and then send spam with totally unrelated subjects which, when clicked on, will open very offensive porn images and also try to infect the visitor by sending them to a secret website through an "iFrame". (The iFrame redirection site, digitaltreath.info, is now down and will hopefully stay down, after nearly a month of hosting badness.)
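A webmaster who suspects one of these "r.html" pages has been planted on their site can check for the iFrame trick directly, since the injected frame is almost always pointed off-site and hidden from the visitor. The following is an added example, my own code and not something from the post: it parses an HTML page and reports every iframe that loads content from a host other than the site itself or that is sized or styled so the visitor cannot see it. The sample page is constructed for the example; the redirect host in it is the one named in the post, with a placeholder path.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _IframeCollector(HTMLParser):
    """Collects the attribute dict of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({name: (value or "") for name, value in attrs})


def _looks_hidden(attrs):
    """Zero/one-pixel frames or CSS that keeps the frame off screen or invisible."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = any(attrs.get(dim, "").strip().lower().rstrip("px") in ("0", "1")
               for dim in ("width", "height"))
    return (tiny or "display:none" in style or "visibility:hidden" in style
            or "left:-" in style or "top:-" in style)


def suspicious_iframes(html, site_host):
    """Return one finding per iframe that points off-site or is hidden from the viewer."""
    collector = _IframeCollector()
    collector.feed(html)
    findings = []
    for attrs in collector.iframes:
        src = attrs.get("src", "")
        host = (urlparse(src).hostname or site_host).lower()  # relative src = same site
        reasons = []
        if host != site_host.lower():
            reasons.append(f"loads content from {host}")
        if _looks_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed "r.html"-style page for www.example.com (sample content, not a real
# capture). The redirect host is the one named in the post; the path is a placeholder.
SAMPLE_R_HTML = """<html><body>
<h1>Breaking: Clinton withdraws support for Obama</h1>
<iframe src="/player/embed.html" width="480" height="360"></iframe>
<iframe src="http://digitaltreath.info/PLACEHOLDER-PATH" width="1" height="1"
        style="position:absolute; left:-2000px; display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in suspicious_iframes(SAMPLE_R_HTML, "www.example.com"):
        print(f["src"], "->", "; ".join(f["reasons"]))
```

An off-site iframe on its own is not proof of anything (embedded video players look the same), which is why the check reports reasons rather than a verdict; a frame that is both off-site and invisible, on a page you did not put there, is the combination worth acting on. Run it over every HTML file on the server, not just the ones you know about, since the whole point of "r.html" is that nobody is linking to it.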

The malware which is present on each site is a file called "video.exe", which at least several AV products (AVG, McAfee, Microsoft, Trend) are calling "Nuwar", aka Storm.

The template seems to be, pick a random subject, pick a random body line, pick a random website, with the choices I've seen today including:

Subjects
===========

Actors required Sign up now

Angelina jolie shock pregnancy discovery

Angelina Jolie suffers miscarriage

Apple files for bankruptcy

Are you getting enough

Beyonce breaks up with Jay Z

Blast in Pakistan

Brad Pitt confesses to betrayal

China fires missle in Taiwan's direction

Christopher Nolan's Knight vision

Clinton withdraws support for Obama

Eminem found dead in disco toilet

Fantastic year for spanish athletes

Federer crashes out

Fight for your benefits and rights

Heath Ledger never saw the Dark Knight

Hurricane hits Caribbean islands

India plans attack on terrorists

Join our talent hunt contest

Latest gossips on celebrities

Madonna admits to extra marital affair

McCain suffers heart attack

McCain withdraws from presidential race

McCaine vows to remain celibate

Memorabilia for heroes only

Miley cyrus naked photos expose

Obtain your degree in six months

Oil falls below $100 a barrel

Party scenes with American idols

Retire a millionaire

Search for singing talents

Spielberg found dead in freak accident

Take a look only if you are worth it

The Mummy 3 movie bankrupt, release delayed

Bodies
===========

A-rod admits to previous secret gay fetish

Asian girls mass Org partying

Barack Obama has been exposed to lack patriotism and shows loss of support from the masses

Can you take on two hot girls

Check out your popularity polls among colleagues

Elton John’s new lover

European girls group Org scenes

FBI surveillance team reveals trade secrets

French hospital in the south of France has admitted Hollywood actress Angelina Jolie

Fully online Master's degrees available at accessible prices

Gays in U.S military

Gun ban threatens to destroy obama's campaign

J Lo secret marriage threatens to destroy current marriage

John McCain gathers support from lackeys in Iraq and Afghanistan towards his election campaign

Kobe Bryant traded to Toronto in latest blockbuster trade

Late and great Ledger in running for posthumous Oscar award

Lindsay lohan drugged out at own birthday party

Madonna split finalized, Guy Ritchie in tears

ndia vows to find the masterminds behind the suicide attack that have killed entire embassy staff in Afghanistan

Obama belittles McCain's ability to be a presidential candidate contender at his age

Obama openly supports abortion and gay rights in bid to win more support from the masses

Oprah Winfrey announces wedding plans

Paris Hilton in new naked pictures romp at 4th of july party

Places to go for secret rendezvous

Pregnant Angelina Jolie asked the media to leave her alone while she waits to give birth to twins

President Bush latest political guffaw

Rating of stolen car for 2007

Republican John McCain admits he has no ideas how to jump start the economy and that the Democrat's stimulus plan is the way to go

Senator McCain found unconscious in toilet

Start your own business and make more money

The sky is the limit for Christian Bale as he returns for a second attempt at taming Gotham City

This week top travel destination

Videos of your neighbors making things

Videos on sports celebs and their flings

Wesley Clark snubs McCain's service as forgettable in July 4 tribute to the nation

Your colleagues are earning more than you

Websites
===========
PLEASE DO NOT VISIT THESE LINKS! THEY *WILL* ATTEMPT TO INFECT YOUR COMPUTER!!!!

Note, all of these sites may contain legitimate business on other pages, but these "r.html" pages have been placed on these domains by a hacker. We aren't saying these sites are guilty of anything other than having bad security.

Wednesday, July 02, 2008

More details are now available about a trio of hackers who were indicted back in March on charges of stealing more than $5M from customers of ATMs. In a July 1st USA Today story few facts were revealed, but it was enough to spin the story back up in the media. I'm getting enough questions about it, I thought I would try to summarize what we know.

Kevin Poulsen had many details, including an affidavit by FBI cyber-crime agent Albert Murray and an affidavit by Ari Baranoff, a US Secret Service Electronic Crimes Task Force agent working in the Eastern District of New York, in his June 28th WIRED Blog.

Baranoff deposed Olena Rakushchynets, the wife of the primary suspect, Yuriy Rakushchynets, who was arrested February 28, 2008 in their Brooklyn residence.

The search warrant against their residence had revealed that Yuriy participated in several Internet carding forums, and had purchased information used to encode blank ATM cards, which he then used to withdraw cash from ATMs. In February 2008 alone, he withdrew approximately $750,000, and on September 30, 2007 and October 1, 2007, he took out $100,000 in that 48-hour period. They also found $800,000 in cash ($690,000 in bags in their bedroom closet), a $34,000 Mercedes, and, from Olena's pocketbook, 51 $20 bills in sequential order. Olena also had $99,000 in three separate safe deposit boxes, and had made more than $50,000 in deposits to the Ukrainian National Federal Credit Union. (See WIRED's copy of the affidavit.)

Yuriy, elsewhere called "Ryabinin", a 32-year-old Ukrainian immigrant; Ivan Biltse, elsewhere called "Belyayev", 30; and Angelina Kitaeva were all named in the indictment, which covered activities from October 2007 to March 4, 2008. They were charged with "Conspiracy to Commit Access Device Fraud", and that they

unlawfully, willfully, and knowingly, and with intent to defraud, in an offense affecting interstate commerce, did effect and attempt to effect transactions, with one and more access devices issued to another person and persons, to receive payment and other things of value during a one-year period the aggregate value of which is equal to or greater than $1,000.

The indictment states forfeiture claims on $2,000,000 in property, including the $800,000 seized from Yuriy on February 29, 2008 and an additional $800,000 seized from Ivan on March 4, 2008. (See WIRED's copy of the indictment.)

Ivan Biltse, of Bensonhurst, New York, was originally arraigned on March 6, 2008 after being picked up for stealing $9,624 in 12 withdrawals from a Washington Mutual Bank ATM in Bay Ridge back on October 1. According to the New York Daily News, Ivan and Yuriy (who lived in Kensington) were cousins. (See Two Brooklyn Men ripped off $5M from ATMs around globe.)

The case actually started much earlier than that, when back on October 3, 2007, according to the FBI affidavit, First Bank notified the St. Louis Secret Service office that four "iWire" Prepaid Card accounts had been compromised. On just the dates September 30 and October 1, 2007, these four accounts were used to attempt more than 9,000 withdrawals from ATMs around the world, resulting in a loss of approximately $5 Million.

First Bank provided a list of withdrawal attempts, and several hundred of them came from banks in Brooklyn, including the Washington Mutual location that we already mentioned. Transaction and surveillance video pulled from several ATMs and nearby cameras showed:

a Caucasian male making withdrawals at the times and ATM terminals indicated in the First Bank Withdrawal Information for the Compromised Accounts. In the ATM video, this male is wearing a dark blue or black baseball cap emblazoned with the words "Top Gun" and a star and wings symbol, as well as a tan-colored sweatshirt or jacket with a dark blue or black front panel and dark blue or black trim at the zipper and collar.

Separately, on February 1, 2008, Citibank informed the FBI that a Citibank server(*) that processes ATM withdrawals at 7-11 convenience stores had been breached. A fraud alert system was established to flag all uses of these accounts, and the Citibank Withdrawal Information was used in the same way. Surveillance video was pulled for many of these transactions, and some of them, including some on February 20, 2008 at the Citibank branch at 502 86th Street in Brooklyn, were made by the same individual, wearing the same "Top Gun" hat and sweatshirt as in the October withdrawals.

(Poulsen mentions that Citibank denies a breach. The USA Today article points out that the ATMs in question were not operated by Citibank, but by two other companies, Houston-based Cardtronics, and Brookfield, Wisconsin-based Fiserv. At this point, I don't think anyone has revealed what server was actually breached.)

This individual was quickly identified as Yuriy Ryabinin / Rakushchynets, and was found to have made $750,000 in fraudulent ATM withdrawals just in the month of February. How? Investigators searched Carding forums for individuals who were trading in First Bank or Citibank ATM information. One of these individuals was listing an ICQ number for contact. The ICQ had been registered earlier by "Yuri" a "29 years old male from brooklyn, USA".

A search for the same ICQ number showed that it belonged to a ham radio operator who signed his posts on ham radio websites with it. Some of those posts included photographs of Yuri at a convention in Dayton, wearing the same sweatshirt as the individual in the Washington Mutual and Citibank ATM surveillance videos.

A further search on the ham radio call sign he used in those forums found that the FCC had sent him a letter, citing his call sign, about some minor administrative violations. The letter was addressed to "Mr. Yuriy Ryabinin, 679 Coney Island Avenue 2, Brooklyn, NY 11218".

A public records search found a Florida driver's license in that name, with a matching photograph. Ryabinin also had a Michigan driver's license under the name "Yuriy Rakushchynets".

Very Nice Work, Special Agent Albert Murray.

It will be interesting to see how much of the rest of the initial $5M in First Bank transactions can be identified.

You know I had to Google around a bit and find his call sign, right?

Yuriy Rakushchynets also had a hotmail account -- n2tta@hotmail.com -- which he used to post a query looking for a job "within 2 hours drive of Brooklyn, NY". I have no idea what a "CQ-Contest" is, but Yuri was apparently very active in them, listed as a "fulltime operator" for events like the "CQWW SSB Soapbox", and in other places that give his name and call sign, such as:

Yuri, N2TTA, will be active as NP2/N2TTA between February 12-19th. His activity will include the ARRL DX CW Contest (February 16-17th) as NP2S and as a Single-Op/All-Band entry. Yuri informs OPDX that he will be active on CW and SSB on all bands including 30/17/12 meters.

Tuesday, July 01, 2008

The authors of the Storm Worm must have had some good success with their "love theme" for last month's Storm Propagation Spam, because they have decided to repeat the theme today.

Right about midnight the UAB Spam Data Mine began to receive spam messages for the new Storm Worm.

After being directed to a website that looks like this:

we followed the links on the site to receive some fresh malware. How fresh was it? The executables, which were named "winner.exe" and "mylove.exe" depending on whether you follow the banner ad or the text link, were uploaded to VirusTotal where we found these results:

At our initial scan, of 33 different AV engines, only FOUR of them knew this was a virus, and only two could label it correctly. (Currently we are up to EIGHT AV products properly identifying this as storm. My university machine, which runs McAfee Anti-Virus, does not detect it with a fresh signature update.)

We have seen a wide variety of subject lines in the spam so far . . .

All I need is You
Always on my mind
Can't forget You
Can't stay away from you
Crazy in love
Crazy in love with you
Deep in my heart
Deeply in love with you
Fallen for you
For you...Sweetheart!
Hate that I love you
Here in my heart
Hold you close
I give my heart to you
I knew I Loved You
I'll never stope loving you
I'll Never Find Someone Like You
I'll Still Love You More
I Love Being In Love With You
I love you so much!
In your arms
Just you and me
Lost In Love
Lost In Your Eyes
Love me tender, love me true
Lovin' You
Lucky to have you
Madly in love
Miss you with all my heart
Missing you
My heart belongs to you
My heart to yours
My heart was stolen
Not the same without you
Only Wanna Be With You
Somebody loves you
Stand by my side
Together forever
We belong together
With all my love
With you by mi side
You are always on my mind
You are in my heart
You are my world
You are the ONE
You feel up my senses
You have touched my heart
You make my world beautiful
You make my world special

(Yes, we actually have spam samples for every one of these domains. For most we have MANY samples. That's what the Spam Data Mine does!)

All of these domains seem to be registered with Chinese Registrar "www.bizcn.com".

They use nameservers under the following domains (each with an ns# host prefix: ns, ns1, ns2, and so on):

likethisone1.com
lollypopycandy.com
verynicebank.com

and their own domains (ns1.wholoveguide.com, etc.)

The last of these, verynicebank.com, was also used during the Beijing Earthquake version of the Storm Worm described by F-Secure. It served as the nameserver for "grupogaleria.cn", which was used in the attack F-Secure described in their blog on June 19th. It also served as the nameserver for "nationwide2u.cn", although we are not yet sure of that domain's purpose.
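The shared-nameserver link above is the kind of infrastructure pivot worth automating: once a campaign's landing domains are known, any other domain delegated to the same nameserver family is a candidate for the same actor. The following is an added example written for this post, not code from the UAB Spam Data Mine or from F-Secure. The spam messages, the landing domains other than wholoveguide.com, and the NS records are constructed for the example (real work would pull NS records from DNS or a passive-DNS store); the nameserver domains and the grupogaleria.cn / nationwide2u.cn relationships follow the text above.

```python
"""Added example: group Storm "love theme" spam by subject line and landing
domain, then pivot on shared nameserver domains to find related infrastructure."""
import re
from collections import defaultdict
from email import message_from_string

# A subset of the subject lines listed above, lower-cased for matching.
KNOWN_SUBJECTS = {
    "crazy in love", "deep in my heart", "lost in love",
    "you are the one", "my heart was stolen",
}

# Constructed sample messages (not real spam samples). mylovepage.invalid
# and shop.example.org are hypothetical landing domains.
SAMPLES = [
    "From: a@example.net\nSubject: Crazy in love\n\nhttp://wholoveguide.com/\n",
    "From: b@example.net\nSubject: Lost In Love\n\nSee http://mylovepage.invalid/index.html now\n",
    "From: c@example.net\nSubject: You are the ONE\n\nhttp://wholoveguide.com/?x=1\n",
    "From: d@example.net\nSubject: Your invoice\n\nhttp://shop.example.org/bill\n",
]

# Constructed NS records. In practice, query DNS or a passive-DNS archive.
NS_RECORDS = {
    "wholoveguide.com": {"ns1.wholoveguide.com", "ns1.verynicebank.com"},
    "mylovepage.invalid": {"ns2.likethisone1.com", "ns1.lollypopycandy.com"},
    "grupogaleria.cn": {"ns1.verynicebank.com"},
    "nationwide2u.cn": {"ns2.verynicebank.com"},
    "shop.example.org": {"ns1.example.org"},
}

URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.I)


def landing_domains(raw):
    """Extract the host part of every http(s) URL in a message body."""
    msg = message_from_string(raw)
    return {host.lower() for host in URL_RE.findall(msg.get_payload())}


def classify(samples):
    """Return {landing_domain: set(subjects)} for messages whose subject
    matches a known campaign subject line; other mail is ignored."""
    hits = defaultdict(set)
    for raw in samples:
        subject = message_from_string(raw)["Subject"].strip()
        if subject.lower() not in KNOWN_SUBJECTS:
            continue
        for domain in landing_domains(raw):
            hits[domain].add(subject)
    return dict(hits)


def ns_parent(ns_host):
    """Strip the ns# label: ns1.verynicebank.com -> verynicebank.com."""
    return ns_host.split(".", 1)[1].lower()


def pivot_on_nameservers(seed_domains, records):
    """Return every domain (other than the seeds) delegated to a nameserver
    domain that one of the seed domains also uses."""
    by_parent = defaultdict(set)
    for domain, nameservers in records.items():
        for ns_host in nameservers:
            by_parent[ns_parent(ns_host)].add(domain)
    related = set()
    for seed in seed_domains:
        for ns_host in records.get(seed, ()):
            related |= by_parent[ns_parent(ns_host)]
    return related - set(seed_domains)


if __name__ == "__main__":
    seeds = classify(SAMPLES)
    for domain, subjects in sorted(seeds.items()):
        print(domain, "<-", sorted(subjects))
    print("related via shared nameservers:", sorted(pivot_on_nameservers(seeds, NS_RECORDS)))
```

Two domains using the same registrar or the same nameserver family is a lead, not proof; the pivot is a way to queue domains for a closer look (and for takedown requests), not a verdict on its own.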

We are actively seeking termination of the last few domains now (most are already down).